The purpose of password encoding is to deter casual observation of passwords in server configuration and property files.
Before you begin
Make sure all server profiles within the administration console reside on the same IBM® i system.
About this task
By default, passwords are automatically encoded with a simple masking algorithm in various ASCII configuration files for WebSphere® Application Server. You can manually encode passwords in properties files that are used by Java clients and by Application Server administrative commands.
For a description of the OS400 encoding algorithm, see Password encoding and encryption.
To enable the OS400 password encoding algorithm for a WebSphere Application Server profile, complete these steps:
Procedure
- Set the os400.security.password properties to turn on the OS400 password encoding algorithm and to specify which validation list object to use.
  You can use the same validation list object for all WebSphere Application Server profiles. However, this is not recommended if you do not back up the objects and data for all profiles simultaneously. Consider your backup and restore policy when you decide what validation list object to use for each WebSphere Application Server profile.
  To set the properties, complete one of these steps:
  - Use the -os400passwords and -validationlist options for the manageprofiles -create utility, which is located in the app_server_root/bin directory, to set the properties when creating the profile. To create a WebSphere Application Server profile named prod, and to enable that profile for the OS400 encoding algorithm using the /QSYS.LIB/QUSRSYS.LIB/WAS.VLDL validation list object, complete the following steps:
    - Run the Start Qshell (STRQSH) command on the IBM i command line.
    - In Qshell, run the following command:
      app_server_root/bin/manageprofiles
      -create -profileName prod -startingPort 10150
      -templatePath default -os400passwords
      -validationlist /QSYS.LIB/QUSRSYS.LIB/WAS.VLDL
      The previous command is on multiple lines for illustration purposes only.
  - Set the Java system properties in the setupCmdLine Qshell script of the WebSphere Application Server profile. To enable the OS400 password encoding algorithm, edit the profile_root/bin/setupCmdLine script using the following steps:
    - Set the os400.security.password.encoding.algorithm property to OS400. The default setting is XOR.
    - Set the os400.security.password.validation.list.object property to the absolute name of the validation list that you need to use. The default setting is /QSYS.LIB/QUSRSYS.LIB/EJSADMIN.VLDL.
    - Save the file.
- Grant the QEJB user profile run authority (*X) to the library that contains the validation list. If QEJB already has the minimum required authority (*X) to access the library, proceed to the next step.
  - Use the Display Authority (DSPAUT) command to check for the minimum required authority if the validation list is created in the /QSYS.LIB/WSADMIN.LIB library. For example:
    DSPAUT OBJ('/QSYS.LIB/WSADMIN.LIB')
  - Use the Change Authority (CHGAUT) command to grant run authority to the QEJB profile only if the QEJB profile does not already have this authority. For example:
    CHGAUT OBJ('/QSYS.LIB/WSADMIN.LIB') USER(QEJB) DTAAUT(*X)
- Create a native validation list object (*VLDL). This step is optional for server profiles; the validation list object is created when the server is started. For remote profiles, create the validation list if it does not already exist on the system that hosts the remote profile. Also, consider your backup and restore policy when you decide what validation list object to use with each remote profile.
  Attention: When you use the OS400 password encoding algorithm, the Java client is not required to reside on the same IBM i system as the WebSphere Application Server profile that the client accesses.
  To create a validation list object, perform the following steps with an IBM i user profile that has *ALLOBJ special authority:
  - Sign on to the server with a user profile that has *ALLOBJ special authority.
  - Use the Create Validation List (CRTVLDL) command to create the validation list object. For example, to create the WSVLIST validation list object in the WSADMIN.LIB library, use the following command:
    CRTVLDL VLDL(WSADMIN/WSVLIST)
  - Grant the QEJB user profile *RWX authority to the validation list object. For example, to grant *RWX authority to the WSVLIST validation list object in the WSADMIN library, use the following command:
    CHGAUT OBJ('/QSYS.LIB/WSADMIN.LIB/WSVLIST.VLDL') USER(QEJB) DTAAUT(*RWX)
  - Use the Change System Value (CHGSYSVAL) command to set the QRETSVRSEC system value to 1. For example:
    CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1')
- For a server profile, start or restart the server and wait until the server is ready for service before attempting to manually encode passwords in properties files that belong to the profile.
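As an added example (not IBM's code or part of this documentation), the following POSIX shell script audits a profile's setupCmdLine script for the two properties set in the first step, flagging the default XOR masking and a validation list that is not an absolute *VLDL path. It assumes the properties appear as name=value tokens in the script (for example inside -D JVM options) and runs against constructed sample fragments rather than real profile files.

```shell
#!/bin/sh
# Added example, not IBM's code: audit a profile's setupCmdLine for the two
# os400.security.password properties described in the procedure above.
# Assumption: each property appears as a "name=value" token somewhere in the
# script (for example inside a -D JVM option); the real file layout may differ.

# Print the last value of property $2 in file $1 (empty if absent).
prop_value() {
    sed -n "s/.*$2=\([^ \"']*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 when the profile uses the OS400 algorithm with an absolute
# /QSYS.LIB/<lib>.LIB/<name>.VLDL validation list; 1 (with a reason) otherwise.
check_os400_encoding() {
    alg=$(prop_value "$1" os400.security.password.encoding.algorithm)
    vldl=$(prop_value "$1" os400.security.password.validation.list.object)
    # Defaults from the procedure: XOR masking and QUSRSYS/EJSADMIN.VLDL.
    [ -n "$alg" ] || alg=XOR
    [ -n "$vldl" ] || vldl=/QSYS.LIB/QUSRSYS.LIB/EJSADMIN.VLDL
    if [ "$alg" != OS400 ]; then
        echo "$1: algorithm is $alg (simple masking), expected OS400" >&2
        return 1
    fi
    case "$vldl" in
        /QSYS.LIB/*.LIB/*.VLDL) return 0 ;;
        *) echo "$1: validation list '$vldl' is not an absolute *VLDL path" >&2
           return 1 ;;
    esac
}

# Constructed setupCmdLine fragments (sample data, not real profile files).
tmp=${TMPDIR:-/tmp}/os400check.$$
mkdir -p "$tmp"
printf '%s\n' 'JAVA_OPTS="-Dos400.security.password.encoding.algorithm=XOR"' \
    > "$tmp/default_xor"
printf '%s\n' '-Dos400.security.password.encoding.algorithm=OS400 \' \
    '-Dos400.security.password.validation.list.object=WSADMIN/WSVLIST' \
    > "$tmp/relative_vldl"
printf '%s\n' '-Dos400.security.password.encoding.algorithm=OS400 \' \
    '-Dos400.security.password.validation.list.object=/QSYS.LIB/WSADMIN.LIB/WSVLIST.VLDL' \
    > "$tmp/os400_ok"

for f in default_xor relative_vldl os400_ok; do
    if check_os400_encoding "$tmp/$f"; then echo "$f: OK"; fi
done
```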
Results
You have enabled the OS400 password encoding algorithm.